PT-2024-35963 · Unknown · Zhmcclient
Andy-Maier · Published 2024-11-29 · Updated 2024-12-02 · CVE-2024-53865
CVSS v3.1: 8.2 High
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: zhmcclient versions prior to 1.18.1
Description: The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in several cases, including when creating or updating a partition in DPM mode, updating an LPAR in classic mode, creating or updating an image activation profile in classic mode, creating or updating an HMC user, and creating or updating an LDAP server definition. This issue affects users who have enabled the Python loggers named "zhmcclient.api" or "zhmcclient.hmc" and use the functions listed above.
Recommendations: For versions prior to 1.18.1, upgrade to version 1.18.1 to fix the issue. As a temporary workaround, consider disabling the logging of sensitive information by disabling the Python loggers named "zhmcclient.api" and "zhmcclient.hmc" until the upgrade is applied. Restrict access to the log files to minimize the risk of sensitive data exposure.
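As an added example (not part of this advisory and not zhmcclient's own code), the following Python shows the advisory's temporary workaround, disabling the two named loggers, next to a logging filter that masks password-like property values before a record reaches any handler. The logger names "zhmcclient.api" and "zhmcclient.hmc" come from the advisory; the property names, the message formats and the sample log records are constructed assumptions and do not reproduce zhmcclient's real log output.

```python
import logging
import re

# Logger names taken from the advisory text.
SENSITIVE_LOGGERS = ("zhmcclient.api", "zhmcclient.hmc")

# Matches "key: value", "key=value", "'key': 'value'" and '"key": "value"'
# where the key contains "password" (case-insensitive). The key shape is an
# assumption for this example, not the advisory's list of property names.
_SECRET_VALUE_RE = re.compile(
    r"""(?P<key>["']?[\w-]*password[\w-]*["']?\s*[:=]\s*)"""
    r"""(?P<val>"[^"]*"|'[^']*'|[^,\s}\)]+)""",
    re.IGNORECASE,
)


def _mask(match: re.Match) -> str:
    """Replace the captured value with *** while keeping its quoting style."""
    val = match.group("val")
    quote = val[0] if val[0] in "\"'" else ""
    return f"{match.group('key')}{quote}***{quote}"


def redact(text: str) -> str:
    """Return *text* with every password-like value masked."""
    return _SECRET_VALUE_RE.sub(_mask, text)


class SecretRedactingFilter(logging.Filter):
    """Logger-level filter that rewrites the fully formatted message in place.

    The record is formatted first so that %r / %s arguments (for example a
    properties dict) are also covered by the redaction regex.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def disable_sensitive_loggers() -> None:
    """The advisory's workaround: silence both loggers until the upgrade."""
    for name in SENSITIVE_LOGGERS:
        logging.getLogger(name).disabled = True


def install_redaction_filter() -> SecretRedactingFilter:
    """Attach one redaction filter to both loggers named in the advisory."""
    redactor = SecretRedactingFilter()
    for name in SENSITIVE_LOGGERS:
        logging.getLogger(name).addFilter(redactor)
    return redactor


def demo() -> list:
    """Emit two constructed records resembling the advisory's scenario and
    return the text that actually reaches the handler after redaction."""
    install_redaction_filter()
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(name)s: %(message)s"))
    loggers = [logging.getLogger(n) for n in SENSITIVE_LOGGERS]
    for lg in loggers:
        lg.setLevel(logging.DEBUG)
        lg.propagate = False
        lg.addHandler(handler)
    try:
        # Constructed sample records; the real zhmcclient messages may differ.
        logging.getLogger("zhmcclient.api").debug(
            "Called Partition.update_properties(properties=%r)",
            {"name": "part1", "boot-ftp-password": "S3cret!"},
        )
        logging.getLogger("zhmcclient.hmc").debug(
            'HMC request: POST /api/users, body: {"name": "user1", "password": "hunter2"}'
        )
    finally:
        for lg in loggers:
            lg.removeHandler(handler)
    return captured


if __name__ == "__main__":
    for line in demo():
        print(line)
    disable_sensitive_loggers()
    print("loggers disabled:", all(logging.getLogger(n).disabled for n in SENSITIVE_LOGGERS))
```

A filter added with `Logger.addFilter` only applies to records logged directly to that logger, not to its children, which is why it is attached to each exact name from the advisory; attaching the same filter to the handler that writes the log file instead would cover every logger feeding that file. Either measure is a stopgap that depends on the regex recognising the property names in use; upgrading to 1.18.1 remains the actual fix.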


Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2024-53865
GHSA-P57H-3CMC-XPJQ

Affected Products

Zhmcclient